Check CSP for inline event handlers (#36510)

This also ensures that document now reports all violations and we set
the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437 

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

tests/wpt/meta/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.ini

@@ -1,7 +1,4 @@
 [report-to-directive-allowed-in-meta.https.sub.html]
-  [Event is fired]
-    expected: FAIL
-
   [Report is observable to ReportingObserver]
     expected: FAIL
 

tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.ini

@@ -1,3 +0,0 @@
-[reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html]
-  [Event is fired]
-    expected: FAIL

tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini

@@ -1,3 +0,0 @@
-[reporting-api-report-to-overrides-report-uri-1.https.sub.html]
-  [Event is fired]
-    expected: FAIL

tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini

@@ -1,3 +0,0 @@
-[reporting-api-report-to-overrides-report-uri-2.https.sub.html]
-  [Event is fired]
-    expected: FAIL

tests/wpt/meta/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.ini

@@ -1,7 +1,4 @@
 [reporting-api-sends-reports-on-violation.https.sub.html]
-  [Event is fired]
-    expected: FAIL
-
   [Report is observable to ReportingObserver]
     expected: FAIL